SEBI Update- Framework for Adoption of Cloud Services by SEBI Regulated Entities (REs)- 6th March, 2023

SEBI UPDATES JUNE 2023

SEBI vide its Circular dated 6th March, 2023 unveiled a framework for the adoption of cloud services.

Background:

Cloud computing is becoming increasingly popular for delivering IT services, thanks to its scalability, ease of deployment, and lower maintenance costs. However, it also introduces new cyber security risks and challenges that businesses need to be aware of. To help regulated entities (REs) navigate these risks, SEBI vide circular no. SEBI/HO/ITD/ITD_VAPT/P/CIR/2023/033, dated March 6, 2023 has introduced a cloud framework that sets baseline standards for security and regulatory compliance. This framework is a crucial addition to SEBI's existing guidelines on cloud computing and is designed to help REs implement secure and compliant cloud adoption practices.

Objective:

The main objective of the framework for adoption of cloud services by SEBI regulated entities (REs) is to identify and address the critical risks associated with cloud computing and to establish mandatory control measures that REs must implement before adopting cloud services. By following the guidelines outlined in the framework, REs can establish a robust risk management approach for cloud adoption, which includes assessing risks, implementing appropriate controls, monitoring compliance, and ensuring regulatory compliance.

Transition Period:

The transition period for Regulated Entities is as follows:

  • For REs which are not currently utilizing any cloud services, the framework shall be applicable/come into force from the date of issuance.
  • For REs currently utilizing cloud services, SEBI has allowed a grace period of up to 12 months to comply with the framework, during which they must provide milestone-based updates to demonstrate their progress towards full compliance. Such REs shall provide regular milestone-based updates as follows:

  Sr No. | Timeline                                                  | Milestone
  1.     | Within one (1) month of issuance of framework             | REs shall provide details of the cloud services, if any, currently deployed by them.
  2.     | Within three (3) months of issuance of framework          | The REs shall submit a roadmap (including details of major activities, timelines, etc.) for the implementation of the framework.
  3.     | From three (3) to twelve (12) months of issuance of framework | Quarterly progress report as per the roadmap submitted by the RE.
  4.     | After twelve (12) months of issuance of framework         | Compliance with respect to the framework to be reported regularly.

Scope:

As per NIST, cloud computing has four types of deployment models, i.e.:

  • Public cloud
  • Community cloud
  • Private cloud
  • Hybrid cloud

Approach:

The cloud framework is a principle-based framework which covers Governance, Risk and Compliance (GRC), selection of Cloud Service Providers (CSPs), data ownership and data localization, due diligence by REs, security controls, legal and regulatory obligations, Disaster Recovery (DR) & Business Continuity Planning (BCP), and vendor lock-in risk.

These principles serve as general guidelines to set the standards for REs to comply with while adopting cloud services. The principles are stated as below:

Principle 1: Governance, Risk and Compliance Sub-Framework

Principle 2: Selection of Cloud Service Providers

Principle 3: Data Ownership and Data Localization

Principle 4: Responsibility of the Regulated Entity

Principle 5: Due Diligence by the Regulated Entity

Principle 6: Security Controls

Principle 7: Contractual and Regulatory Obligations

Principle 8: BCP, Disaster Recovery & Cyber Resilience

Principle 9: Vendor Lock-in and Concentration Risk Management

The given framework will enable REs to improve their overall IT resilience and reduce cybersecurity risks, while ensuring regulatory compliance. By adhering to the guidelines outlined in the framework, REs can minimize the risks associated with cloud adoption and make informed decisions about implementing cloud services. The detailed framework is enclosed at Annexure-1 of the given circular.

This Circular is applicable to the following Regulated Entities: Stock Exchanges, Clearing Corporations, Depositories, Stock Brokers through Exchanges, Depository Participants through Depositories, Asset Management Companies (AMCs)/Mutual Funds (MFs), Qualified Registrars to an Issue and Share Transfer Agents, and KYC Registration Agencies (KRAs), and shall come into force with immediate effect.

Link: https://www.sebi.gov.in/legal/circulars/mar-2023/framework-for-adoption-of-cloud-services-by-sebi-regulated-entities-res-_68740.html
